Just some feedback around 2FA and these providers.
I wasn't able to get the multi-factor page to display if I used an external provider login. I had to add:
if (result.RequiresTwoFactor)
{
    return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl });
}
...and also change this:
var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor : true);
to this:
var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor : false);
In the ExternalLogin.cshtml.cs file.
Not sure if this should reside in the 2FA configuration guidance (along with a link from this page).
@HaoK where should this information go?
@jasonshave thanks for the feedback.
Is this an issue with the current templates? Or only with the docs?
Template updates in this case only, although it would be helpful to have an example of the Microsoft appId/secret configuration (either using the secrets file or Azure Key Vault).
Regarding code updates, the ExternalLogin.cshtml.cs file needs to have the 'if' statement to handle the case where 2FA has been configured with an external provider. Without this statement, a user configured for 2FA will be authenticated and simply signed in without moving to the 2FA page. Secondly, the bypassTwoFactor: false statement would appear to negate the ability to use it altogether.
No. This is how it should be. External logins are protected by whatever the external login provider provides. We don't then layer anything else on top. Consider, for example, Google: my Google login demands a hardware key. I should not then be subjected to a second 2FA prompt by whatever web site I'm logging into. The current behaviour is fine. It's by design.
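The two fragments from the first post, placed in the callback handler of ExternalLogin.cshtml.cs, as an added example that is not the template's code and not written by any participant in this thread. The class shape, the `IdentityUser` user type and the final `Page()` fallback are assumptions; with `bypassTwoFactor: true` (the behaviour the last reply describes as by design) the `RequiresTwoFactor` branch is never reached.

```csharp
// Added example: sketch of the page model in ExternalLogin.cshtml.cs.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class ExternalLoginModel : PageModel
{
    // IdentityUser is an assumption; substitute the application's user type.
    private readonly SignInManager<IdentityUser> _signInManager;

    public ExternalLoginModel(SignInManager<IdentityUser> signInManager)
        => _signInManager = signInManager;

    [TempData]
    public string ErrorMessage { get; set; }

    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
    {
        returnUrl ??= Url.Content("~/");
        if (remoteError != null)
        {
            ErrorMessage = $"Error from external provider: {remoteError}";
            return RedirectToPage("./Login", new { ReturnUrl = returnUrl });
        }

        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
        {
            ErrorMessage = "Error loading external login information.";
            return RedirectToPage("./Login", new { ReturnUrl = returnUrl });
        }

        // false: Identity checks whether the local account has 2FA enabled
        // instead of signing the user in on the provider's assertion alone.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: false);

        // LocalRedirect rejects non-local URLs, so returnUrl cannot send the user off-site.
        if (result.Succeeded) return LocalRedirect(returnUrl);
        if (result.IsLockedOut) return RedirectToPage("./Lockout");
        if (result.RequiresTwoFactor)
        {
            // No application cookie has been issued yet; the sign-in completes on LoginWith2fa.
            return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl });
        }

        // No local account is linked to this external login (registration form in the template).
        return Page();
    }
}
```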